Hi Oliver,
Honestly, I'm 100% on board personally with the concept of 'system' and 'application' containers but industry is trying to pretend that system containers don't exist currently.
I think the new hotness (well, old if you ask Google) is VMs inside containers where we finally admit that Kubernetes is just a scheduler and nothing is new :-D.
Anyway, I don't really see this changing the problem space.
The main issue, in my opinion, is that we keep treating the operating system as a singular "thing" and it is simply not the case.
I think that the SCAP profiles should be bound to each individual application's configuration and they should all be layered using OSCAL. The recommended configurations would then float around with the application instead of a container, the OS, or anything else and inherit as necessary from the underlying operating system.
In a nutshell, this is the classic "system of systems" approach that we all decided was not worth the ROI some time around the birth of Agile. Frankly, I'm not sure if that was an incorrect assumption since we're generally about risk acceptance instead of a "perfect world".
So, if we (as an open source community) decide that things like SWID tags, SCAP, OVAL, and OSCAL are the way of the future then it needs to be moved into the community projects themselves. Otherwise, it's a nice niche area to build business models around that does, in my opinion, make a difference for those that choose to use it.
Trevor
On Mon, May 4, 2020 at 5:53 PM Olivier Bonhomme obonhomme@nerim.net wrote:
On 04/05/2020 at 17:35, Matej Tyc wrote:
Is there any other way how to satisfy everybody than to have a profile for unprivileged containers, and specialized profiles for privileged containers?
Hello everybody,
I find this discussion very interesting and I think, because of the new rising ecosystem due to the massive use of containers, the way we are hardening systems may be rethought (or at least discussed).
Recently, I read this article https://lwn.net/Articles/796700/ quoting Stéphane Graber from the Ubuntu/LXC project and I think he said something very very interesting:
"LXC and LXD are used to create "system containers", which run unmodified Linux distributions, not "application containers" like those created using Docker. The idea is that LXD users will use the same primitives as they would if they were running the distribution in a virtual machine (VM); that they are actually running them on a container is not meant to be visible to them."
After reading that, for me the first question to ask about hardening is not whether the container is privileged or unprivileged but how it is built and how it is executed.
The article says (and I agree with it) that there are two categories of containers:
- The application containers (micro-service architecture), where the container is very minimalistic: just the application, the dependencies, and nothing more (for example Alpine-based containers)
- The system containers: if I sum up quickly, I would say it's a complete distribution with userland only (no kernel, no bootloader)
For me, if we must think about SCAP profiles for containers, it's easier with system containers because creating such a profile could be "just" tailoring a current profile, removing everything not applicable (I mean rules about the kernel and bootloader). I would say it's a "userland SCAP profile".
For application containers, the approach is very different, and with some of my colleagues we started to ask ourselves this question: is it relevant to have a hardening profile on application containers which are very minimalistic?
As I said before, a well-built application container is very minimalistic, with normally only the application running. So generally, there is no authentication layer, no network configuration, no sysctl to configure (generally done at the host level). My point of view is that when you try to reduce/tailor a SCAP profile for such a container, there are only very few rules to apply. Example: why harden a PAM stack which is never used or not even installed?
Of course, it's just a first analysis with additional questions to answer: what if you add the privileged/unprivileged status, and what about containers which are between these two worlds? (But for me the answer can be simple: the container is not well built.)
So maybe a first approach would be to focus on these "system containers" and maybe try to define some guidelines for the "application containers" ?
My two cents !
Regards, Olivier Bonhomme
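As an added illustration (not part of this thread or of the SSG project), one way to express the "userland SCAP profile" idea from the quoted message is an XCCDF 1.2 tailoring that extends a base profile and deselects the rules that only make sense on a host with its own bootloader and kernel. All benchmark, profile and rule identifiers below are constructed for the example, not real SSG ids.

```python
import re
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF)

# Constructed sample benchmark: only the profile's rule selections are shown,
# and the ids are illustrative, not identifiers from a real SSG datastream.
SAMPLE_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Profile id="xccdf_example_profile_base">
    <select idref="xccdf_example_rule_grub2_password" selected="true"/>
    <select idref="xccdf_example_rule_sysctl_kernel_randomize_va_space" selected="true"/>
    <select idref="xccdf_example_rule_kernel_module_usb_storage_disabled" selected="true"/>
    <select idref="xccdf_example_rule_accounts_password_minlen" selected="true"/>
    <select idref="xccdf_example_rule_file_permissions_etc_shadow" selected="true"/>
  </Profile>
</Benchmark>"""

# Rule-id patterns (assumed naming convention) for bootloader, sysctl and
# kernel-module rules: host-level settings a system container cannot own.
NOT_APPLICABLE_IN_CONTAINER = re.compile(r"_rule_(grub2_|sysctl_|kernel_module_)")

def selected_rules(benchmark_xml, profile_id):
    """Return the rule ids a profile selects in the given XCCDF benchmark."""
    root = ET.fromstring(benchmark_xml)
    for prof in root.iter(f"{{{XCCDF}}}Profile"):
        if prof.get("id") == profile_id:
            return [s.get("idref") for s in prof.iter(f"{{{XCCDF}}}select")
                    if s.get("selected") == "true"]
    raise KeyError(f"profile not found: {profile_id}")

def build_userland_tailoring(benchmark_xml, base_profile, new_profile, benchmark_href):
    """Build a Tailoring whose new profile extends the base one but deselects
    every selected rule that is not applicable inside a system container.
    Returns (dropped_rule_ids, tailoring_xml_text)."""
    dropped = [r for r in selected_rules(benchmark_xml, base_profile)
               if NOT_APPLICABLE_IN_CONTAINER.search(r)]
    tailoring = ET.Element(f"{{{XCCDF}}}Tailoring", id="xccdf_example_tailoring_userland")
    ET.SubElement(tailoring, f"{{{XCCDF}}}benchmark", href=benchmark_href)
    ET.SubElement(tailoring, f"{{{XCCDF}}}version", time="2020-05-05T00:00:00").text = "1"
    prof = ET.SubElement(tailoring, f"{{{XCCDF}}}Profile", id=new_profile, extends=base_profile)
    ET.SubElement(prof, f"{{{XCCDF}}}title").text = "Userland profile for system containers"
    for rule_id in dropped:  # keep everything else inherited from the base profile
        ET.SubElement(prof, f"{{{XCCDF}}}select", idref=rule_id, selected="false")
    return dropped, ET.tostring(tailoring, encoding="unicode")

if __name__ == "__main__":
    _, xml_text = build_userland_tailoring(SAMPLE_BENCHMARK, "xccdf_example_profile_base",
                                           "xccdf_example_profile_userland", "ssg-demo-ds.xml")
    print(xml_text)
```

The generated file is the kind of tailoring that `oscap xccdf eval --tailoring-file` accepts, so the same base content can be evaluated against a host and, with the derived profile, against a system container.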